[00:01.130 --> 00:02.030]  Hi there.
[00:02.030 --> 00:05.010]  Welcome to my talk where I go through and brick
[00:05.230 --> 00:06.430]  a very expensive automobile,
[00:06.430 --> 00:08.470]  then I eventually make it faster.
[00:08.490 --> 00:09.390]  Hope you enjoy it.
[00:09.390 --> 00:11.350]  It was certainly the most complicated
[00:11.350 --> 00:13.990]  reverse engineering project I've ever worked on.
[00:19.820 --> 00:21.560]  So a little bit about me.
[00:21.560 --> 00:22.920]  My name is Patrick Kiley.
[00:22.920 --> 00:26.720]  I'm a member of the Penetration Testing Team at Rapid7.
[00:27.160 --> 00:31.000]  I've been working in the industry for about 17 years.
[00:31.000 --> 00:33.540]  I've done previous research that I've released
[00:33.540 --> 00:35.240]  on avionics security.
[00:35.240 --> 00:37.260]  I've done quite a bit of research
[00:37.820 --> 00:41.520]  specifically on internet-connected transportation platforms.
[00:41.520 --> 00:43.500]  I have experience in hardware hacking,
[00:43.500 --> 00:48.260]  internet of things, autonomous vehicles, and CAN bus.
[00:51.270 --> 00:53.870]  So here's an overview of all the topics
[00:53.870 --> 00:55.330]  that we're gonna cover.
[00:56.050 --> 00:58.630]  First, we're gonna go over the architecture of the Model S
[00:58.630 --> 01:01.470]  and specifically the battery management system.
[01:01.790 --> 01:03.250]  You'll find all that needs to be relevant
[01:03.250 --> 01:05.550]  when I explain some of the other stuff.
[01:05.990 --> 01:09.230]  The timeline of when the Performance Model S
[01:09.230 --> 01:11.350]  and Ludicrous were released.
[01:11.350 --> 01:13.510]  The hardware changes that have to occur
[01:14.210 --> 01:19.130]  in order to make a car move at Ludicrous speeds.
[01:19.130 --> 01:22.250]  The data stored within the diagnostic program
[01:22.250 --> 01:24.950]  that Tesla uses within its service center
[01:24.950 --> 01:26.630]  is called Toolbox.
[01:27.330 --> 01:29.290]  Some of the firmware changes,
[01:29.290 --> 01:30.610]  in fact, all of the firmware changes
[01:30.610 --> 01:32.570]  that have to occur to the battery management system
[01:32.570 --> 01:34.130]  to make it work.
[01:34.130 --> 01:38.350]  The process of modifying the high-current shunt.
[01:38.370 --> 01:40.650]  For those of you who haven't heard the term before,
[01:40.650 --> 01:44.650]  shunt is a method within electrical and electronics
[01:45.210 --> 01:47.850]  of measuring current using a known resistance value.
[01:47.850 --> 01:51.430]  And this is a device within the high-voltage battery
[01:51.430 --> 01:54.850]  that has to be modified in order to allow it
[01:54.850 --> 01:57.390]  to handle the power of Ludicrous.
[01:57.390 --> 01:59.210]  And it turns out it was a very important part
[01:59.210 --> 02:01.450]  of this whole process.
[02:02.010 --> 02:04.350]  And then we'll actually go over the upgrade process,
[02:04.350 --> 02:06.450]  how I failed and bricked the car,
[02:06.450 --> 02:09.350]  what I learned and had to have it towed across state lines,
[02:09.350 --> 02:11.390]  and some pretty cool things
[02:11.390 --> 02:13.850]  on how I was able to dig a little bit deeper
[02:13.850 --> 02:17.710]  on how the gateway works and some special files
[02:17.710 --> 02:22.030]  that it stores that determine the configuration of the car.
[02:22.130 --> 02:23.230]  And then next steps,
[02:23.230 --> 02:25.290]  can we actually take Ludicrous speed further?
[02:25.290 --> 02:25.950]  Should we?
[02:26.070 --> 02:28.610]  And what we need to do to make that happen.
[02:34.560 --> 02:36.760]  So a little bit about the architecture
[02:37.140 --> 02:38.780]  of the Model S overall.
[02:39.640 --> 02:41.300]  It has the central display.
[02:41.300 --> 02:42.620]  So if you sit in a Model S,
[02:42.620 --> 02:44.380]  there's a large screen to your right
[02:44.380 --> 02:45.880]  or to your left if you're a passenger
[02:45.880 --> 02:49.420]  or to your left if you're in a right-hand drive vehicle.
[02:49.500 --> 02:51.820]  And then there's also instrument cluster.
[02:51.820 --> 02:54.500]  Both of those actually run the NVIDIA Tegra
[02:54.500 --> 02:57.220]  up until recently where the central display
[02:57.220 --> 02:59.340]  switched over to Intel Atom.
[02:59.500 --> 03:01.200]  All this is gonna be,
[03:01.200 --> 03:03.580]  assuming it's an NVIDIA Tegra base
[03:03.580 --> 03:06.280]  because that Tegra has to be rooted
[03:06.280 --> 03:09.060]  for this research to work.
[03:09.340 --> 03:11.980]  The next component that's really critical to this
[03:11.980 --> 03:13.600]  is the gateway.
[03:13.920 --> 03:18.040]  The gateway sits between the central display,
[03:18.040 --> 03:20.260]  the instrument cluster and the rest of the vehicle.
[03:20.300 --> 03:23.580]  It acts as a firewall between the various CAN buses
[03:23.580 --> 03:27.120]  and between the CAN buses and the infotainment features
[03:27.120 --> 03:28.880]  as well as the internet connectivity
[03:28.880 --> 03:31.120]  and Wi-Fi connectivity, et cetera.
[03:31.820 --> 03:34.640]  The next component that's critical to this,
[03:34.640 --> 03:36.260]  because that's where all the modifications are,
[03:36.260 --> 03:37.680]  is the Powertrain CAN bus.
[03:37.680 --> 03:41.320]  This is a standard CAN bus running at 500 kilobits a second.
[03:41.320 --> 03:44.960]  It contains the battery management system, the drive units,
[03:44.960 --> 03:49.640]  all the charging and thermal controllers sit on that CAN bus.
[03:50.080 --> 03:51.920]  Beyond that, it's a standard vehicle CAN bus.
[03:51.920 --> 03:55.020]  It runs at, again, 500 kilobits a second,
[03:55.020 --> 03:58.000]  uses 11-bit arbitration IDs.
[03:58.000 --> 04:00.340]  And very importantly, it supports UDS.
[04:00.800 --> 04:03.840]  Many of the routines that you actually have to modify
[04:03.840 --> 04:06.640]  to do this require UDS to work.
[04:06.780 --> 04:09.720]  And having some knowledge of UDS turned out to be critical
[04:09.720 --> 04:11.340]  for me to do this research.
[04:11.340 --> 04:13.100]  I managed to learn quite a bit about it.
[04:14.420 --> 04:17.940]  So next we have the battery management system.
[04:18.040 --> 04:19.520]  Battery management system is a board
[04:19.520 --> 04:23.640]  that sits inside the battery pack at the rear.
[04:24.240 --> 04:30.580]  The primary microprocessor on it is a TI TMS320C2809.
[04:30.760 --> 04:32.380]  There's a hardware backup for it.
[04:32.380 --> 04:34.400]  So in case there's some type of hardware failure,
[04:34.400 --> 04:37.160]  the hardware backup is an Altera CPLD.
[04:37.860 --> 04:40.360]  It's critical for one step of the process
[04:40.680 --> 04:42.140]  that we're going to do later.
[04:42.140 --> 04:45.800]  And then there's a current shunt and pre-charge resistor.
[04:46.840 --> 04:50.040]  The full reversing of these components is an ongoing project.
[04:50.040 --> 04:52.180]  So if you want to help reach out to me,
[04:52.180 --> 04:54.140]  because there's some of the skills like assembly
[04:54.140 --> 04:57.540]  for the TMS320 that I'm not very good with.
[04:58.860 --> 05:00.820]  So here I've skipped over some of the steps
[05:00.820 --> 05:02.680]  because it's easier to show on the screen.
[05:02.680 --> 05:04.220]  The high voltage contactors,
[05:04.220 --> 05:06.200]  you can see in the middle of those round circles
[05:06.200 --> 05:09.220]  with two large terminal posts on them.
[05:09.300 --> 05:12.240]  The high current shunt that sits,
[05:12.240 --> 05:14.040]  connects directly to the battery management system.
[05:14.040 --> 05:16.660]  It sits between one of the bus bars
[05:16.660 --> 05:19.700]  going from the battery to the contactors.
[05:19.880 --> 05:21.140]  There's a pre-charge resistor.
[05:21.140 --> 05:24.380]  So the way that the contactors are engaged are,
[05:24.820 --> 05:29.000]  when the vehicle wants to enable battery power
[05:29.000 --> 05:29.860]  to the rest of the vehicle,
[05:29.860 --> 05:31.600]  one of the contactors closes.
[05:31.700 --> 05:33.920]  And then the pre-charge resistor sits there
[05:33.920 --> 05:37.400]  as a slow, relatively slow current path
[05:38.040 --> 05:41.000]  for the rest of the high voltage system to come up
[05:41.000 --> 05:43.380]  to match the voltage of the battery.
[05:43.380 --> 05:45.040]  And it's only then that the BMS allows
[05:45.040 --> 05:46.760]  the other contactors to close.
[05:46.760 --> 05:48.120]  So you don't get inrush current
[05:48.120 --> 05:49.980]  and you don't get damaged components
[05:50.720 --> 05:54.360]  from the massive amount of power
[05:54.360 --> 05:56.560]  that's in that battery system.
[05:56.800 --> 06:01.680]  From there, we actually have 16 battery management boards.
[06:01.680 --> 06:05.700]  These contain all the bleed resistors
[06:05.700 --> 06:08.920]  so it can balance the voltage across all the packs.
[06:08.920 --> 06:10.620]  There are 96 of them,
[06:10.620 --> 06:14.200]  I believe six in each of the 16 modules.
[06:14.200 --> 06:18.340]  And then the BMBs also manage the,
[06:18.340 --> 06:19.720]  they monitor the temperature
[06:19.720 --> 06:22.700]  and of course the voltage of the individual battery modules.
[06:22.900 --> 06:24.040]  And then the last thing you see
[06:24.040 --> 06:25.780]  on the far right, voltage sense.
[06:26.820 --> 06:31.620]  Voltage sense is the component
[06:31.620 --> 06:34.000]  that actually sits on the four contactors of the battery.
[06:34.000 --> 06:35.860]  So not only can it actually detect
[06:35.860 --> 06:37.720]  when the battery contactors are open or closed,
[06:37.720 --> 06:40.540]  so if they're not in a state where the BMS expects them,
[06:40.540 --> 06:41.980]  but they're also used to measure
[06:41.980 --> 06:46.260]  the current voltage level coming from the battery.
[06:50.510 --> 06:52.590]  So a little bit of history,
[06:52.590 --> 06:55.730]  and this will be relevant in just a minute, you'll see why.
[06:55.730 --> 06:59.130]  So in October of 2014,
[06:59.130 --> 07:03.350]  the performance dual motor Model S was announced.
[07:03.390 --> 07:06.750]  This was ridiculously fast when it was released,
[07:06.750 --> 07:09.510]  something like 3.4 seconds, zero to 60,
[07:09.510 --> 07:13.250]  but it wasn't until July of the next year
[07:13.810 --> 07:15.710]  that Ludicrous was announced.
[07:15.710 --> 07:17.850]  So when Ludicrous was announced,
[07:17.850 --> 07:20.190]  they announced it as a $10,000 option
[07:20.690 --> 07:24.330]  on new models of the new versions of the Model S.
[07:24.670 --> 07:26.770]  And it was $10,000 for a while.
[07:26.770 --> 07:28.770]  I think eventually they gave it away for free,
[07:28.770 --> 07:30.350]  but they keep going back and forth on it.
[07:30.350 --> 07:31.530]  That's really up to them.
[07:31.530 --> 07:34.550]  So it's always been kind of an optional item
[07:34.550 --> 07:35.930]  to make the car a little bit faster
[07:35.930 --> 07:38.170]  and have Ludicrous power on it.
[07:38.790 --> 07:40.830]  So $10,000 for new buyers,
[07:40.830 --> 07:46.510]  but as an offer for existing P85D owners,
[07:46.510 --> 07:48.830]  they offered it as a $5,000 upgrade.
[07:49.610 --> 07:51.470]  And the press release actually mentioned
[07:51.470 --> 07:54.530]  that the upgrade involved putting in new contactors
[07:54.530 --> 07:56.030]  and a pyrofuse.
[07:56.370 --> 07:58.590]  But after a while,
[07:58.590 --> 08:00.270]  many of the performance battery packs,
[08:00.270 --> 08:02.370]  so the battery packs that would go into the car
[08:02.370 --> 08:04.370]  would already be capable of running Ludicrous mode
[08:04.370 --> 08:06.550]  and they just wouldn't have the feature turned on.
[08:07.890 --> 08:09.850]  And when I say Ludicrous capable,
[08:09.850 --> 08:12.790]  what I mean is that all you have to do
[08:12.790 --> 08:16.690]  is modify a single file on the gateway of the vehicle.
[08:16.690 --> 08:18.610]  So you root the vehicle,
[08:18.610 --> 08:19.790]  modify the single file,
[08:19.790 --> 08:21.610]  and it has Ludicrous mode.
[08:22.910 --> 08:26.310]  All the P100Ds, as far as I understand,
[08:26.310 --> 08:28.650]  and all the newer Model S's
[08:28.650 --> 08:31.050]  that are dual motor performance,
[08:31.590 --> 08:35.610]  all you have to do is modify this single line on the gateway.
[08:35.610 --> 08:38.190]  So I've got a little bit of information about that.
[08:38.190 --> 08:43.030]  So the gateway has this file called internal.dat.
[08:43.030 --> 08:45.890]  It stores the car's configuration.
[08:46.390 --> 08:47.590]  It has like, you know, for example,
[08:47.590 --> 08:48.770]  the type of wheels that are on it
[08:48.770 --> 08:50.970]  so that the displays actually reflect correctly,
[08:50.970 --> 08:52.870]  the color of the car,
[08:52.870 --> 08:55.670]  the version of the thermal controller,
[08:55.670 --> 08:58.430]  the version of the various drive units,
[08:58.430 --> 09:00.290]  and the version of the battery pack.
[09:00.950 --> 09:03.930]  Bunch of other configurations it also controls.
[09:03.930 --> 09:06.570]  It's also the file that is modified
[09:06.570 --> 09:09.950]  when I heard about how people had supercharging disabled.
[09:09.990 --> 09:11.350]  That's where it's disabled.
[09:11.350 --> 09:14.150]  It's actually disabled client side on the vehicle.
[09:14.730 --> 09:17.710]  But for the purposes of this talk,
[09:17.710 --> 09:21.330]  all you have to do is from a rooted vehicle,
[09:21.330 --> 09:24.270]  request this internal.dat file,
[09:24.890 --> 09:27.130]  make a quick file editor change
[09:27.130 --> 09:29.730]  of which the, you know, vi and nano are both there.
[09:29.730 --> 09:33.230]  So you go into internal.dat, add this line,
[09:33.230 --> 09:36.210]  performance add-on, and add the value of one.
[09:36.890 --> 09:39.950]  From there, you copy it back over to the gateway,
[09:39.950 --> 09:42.830]  reboot the gateway, and then boom, the vehicle's ludicrous.
[09:43.030 --> 09:44.910]  But that's not the case for the earlier models.
[09:44.910 --> 09:46.790]  The earlier models where you actually had to do quite a bit
[09:46.790 --> 09:47.770]  to the firmware.
[09:47.870 --> 09:49.390]  I'm just talking about the later ones.
[09:49.390 --> 09:51.330]  So the later ones that were ludicrous capable already,
[09:51.330 --> 09:53.250]  in other words, the battery was already capable
[09:53.250 --> 09:54.570]  of ludicrous speeds.
[09:54.650 --> 09:56.430]  This is the only thing you have to change.
[09:59.140 --> 10:01.700]  So, okay, kind of alluded to earlier,
[10:01.700 --> 10:05.400]  the earlier vehicles, you know, so some of the 90s,
[10:06.380 --> 10:10.800]  all of the 85s released up to that point required hardware.
[10:10.800 --> 10:12.680]  They required modification of the current shunt.
[10:12.680 --> 10:13.900]  You had to reflash the firmware
[10:13.900 --> 10:15.700]  in the battery management system.
[10:15.900 --> 10:17.980]  You had to recalibrate the current shunt.
[10:18.220 --> 10:20.860]  Only then could you actually add that value
[10:20.860 --> 10:24.900]  to the gateway file, internal.dat,
[10:24.900 --> 10:28.320]  and actually reconfigure it to support ludicrous speed.
[10:28.320 --> 10:30.720]  If you did it before that, it wouldn't show,
[10:30.720 --> 10:31.660]  actually give you the speed.
[10:31.660 --> 10:33.740]  It would show you the setting,
[10:33.740 --> 10:35.380]  but it wouldn't go any faster.
[10:37.160 --> 10:38.360]  So we did this.
[10:38.440 --> 10:40.540]  I actually upgraded an owner vehicle.
[10:41.100 --> 10:44.820]  We have a contact in Southern California.
[10:44.820 --> 10:45.740]  For those who don't know,
[10:45.740 --> 10:47.160]  I'm actually located in Las Vegas.
[10:47.400 --> 10:51.560]  So through some online forums, I found someone else
[10:51.560 --> 10:53.480]  who was actually hacking on their Tesla.
[10:54.540 --> 10:55.760]  Guy owned a body shop.
[10:55.760 --> 10:57.580]  He was willing to loan me his lift.
[10:57.580 --> 10:59.380]  So a lift isn't something you can just kind of go to a guy
[10:59.380 --> 11:01.880]  and say, hey, can I borrow your lift for a couple of days?
[11:02.480 --> 11:03.820]  Because they'd be like, no, I have this thing
[11:03.820 --> 11:04.780]  called insurance.
[11:04.780 --> 11:06.720]  And no, just go away.
[11:06.920 --> 11:08.980]  So he let me do this, very gracious.
[11:08.980 --> 11:10.020]  Thank you, Bitbuster.
[11:10.120 --> 11:12.060]  Call you out here at the end.
[11:12.680 --> 11:15.580]  But another little quick anecdote,
[11:15.580 --> 11:17.480]  this guy who loaned me this garage,
[11:17.480 --> 11:19.780]  he was actually hacking on a Model S.
[11:19.780 --> 11:24.960]  He took the car and actually enabled autopilot version two
[11:25.500 --> 11:27.120]  on an autopilot one car.
[11:27.120 --> 11:29.440]  So he added all eight of the cameras,
[11:30.030 --> 11:31.280]  put in the newer computer,
[11:31.280 --> 11:33.720]  replaced the steering rack and a bunch of other stuff
[11:34.380 --> 11:39.480]  and actually got retrofitted autopilot two.
[11:39.580 --> 11:41.160]  So all the full self-driving stuff
[11:41.600 --> 11:43.780]  to an older model vehicle.
[11:44.020 --> 11:45.020]  Pretty cool stuff.
[11:45.020 --> 11:46.200]  I was pretty impressed with that.
[11:46.200 --> 11:47.620]  And I believe he's the first person in the world
[11:47.620 --> 11:48.700]  to ever do that.
[11:50.300 --> 11:52.520]  So here's a picture of the pack dropped.
[11:52.820 --> 11:55.720]  It was fairly complicated, but not too hard.
[11:55.720 --> 11:58.560]  You know, you remove the central bolts
[11:58.560 --> 12:00.680]  and then lower it down onto this big heavy rack
[12:00.680 --> 12:02.680]  that can support the weight of the entire vehicle.
[12:02.680 --> 12:04.140]  And then you remove the ones along the edges
[12:04.140 --> 12:05.760]  and then raise the car back up.
[12:05.880 --> 12:07.580]  Battery pack drops out.
[12:07.580 --> 12:10.080]  All the electrical connections are quick disconnects.
[12:10.080 --> 12:11.940]  The coolant is a quick disconnect.
[12:11.980 --> 12:14.160]  I believe this is because originally Tesla
[12:14.160 --> 12:15.860]  was toying around with this idea
[12:15.860 --> 12:19.100]  of having swappable battery packs for people on the road.
[12:19.100 --> 12:21.420]  I believe they had a pilot program at one point.
[12:21.700 --> 12:23.620]  It just never really seemed to go anywhere.
[12:23.620 --> 12:26.820]  So they make it really easy to drop the pack
[12:27.380 --> 12:29.500]  as long as you have access to the appropriate equipment.
[12:31.780 --> 12:33.760]  So here in this next picture,
[12:33.760 --> 12:35.420]  we have a picture of the fuse bay,
[12:35.420 --> 12:36.620]  which is up at the front of the vehicle
[12:36.620 --> 12:41.240]  on the opposite side of where the coolant tubes enter the pack.
[12:41.300 --> 12:43.860]  Here, the cover over the fuse is removed
[12:43.860 --> 12:45.340]  and the old fuse is visible,
[12:45.340 --> 12:47.360]  the fuse that actually has to come out.
[12:49.200 --> 12:51.880]  And then on the right, we have the contactor bay
[12:51.880 --> 12:55.540]  with it opened up, the cover plate removed
[12:55.540 --> 12:57.820]  and the old contactors removed.
[12:58.920 --> 13:01.860]  All right, here we have a close-up of the current shunt.
[13:01.860 --> 13:03.860]  You can see it sits right next to the BMS.
[13:05.800 --> 13:08.580]  And then the new contactors are installed at this point.
[13:11.300 --> 13:13.940]  Here's a close-up of the BMS.
[13:14.440 --> 13:16.920]  You can see that it just sits at the very bottom of the bay
[13:16.920 --> 13:19.620]  and it's just kind of on the right side or left
[13:19.620 --> 13:21.160]  if you're staring at the car from the front.
[13:21.160 --> 13:22.880]  But from my perspective, it's on the right.
[13:24.120 --> 13:27.060]  And you can see the TMS 320 right there,
[13:27.060 --> 13:29.140]  kind of in the middle, CPLD off to the right
[13:29.140 --> 13:32.440]  and what is that between the two?
[13:32.580 --> 13:33.780]  Enhance.
[13:34.020 --> 13:35.740]  Oh, that's interesting.
[13:35.740 --> 13:37.780]  That label says JTAG.
[13:38.260 --> 13:40.160]  Get into that later.
[13:40.720 --> 13:42.440]  Yeah, it actually has JTAG.
[13:42.440 --> 13:45.900]  The BMSs that I messed with on my bench,
[13:45.900 --> 13:48.000]  none of them actually had that connector.
[13:48.000 --> 13:50.380]  It was all covered over with conformal coating
[13:50.380 --> 13:52.980]  but the one in the car that I modified
[13:52.980 --> 13:57.760]  actually had these headers on here that say JTAG.
[13:57.760 --> 13:59.160]  Kind of interesting.
[14:01.180 --> 14:02.580]  Another thing that you have to do
[14:03.120 --> 14:06.560]  is you actually have to replace a second fuse.
[14:06.560 --> 14:08.760]  So there's older vehicles.
[14:08.760 --> 14:11.140]  This is underneath the rear seat.
[14:11.320 --> 14:13.520]  There's a fuse between the center thing
[14:13.520 --> 14:15.060]  called the high voltage junction box
[14:15.410 --> 14:16.960]  and the front drive unit.
[14:17.240 --> 14:19.800]  So one of the things that I kind of found
[14:19.800 --> 14:21.720]  by digging around in Toolbox that we'll get into later
[14:21.720 --> 14:25.340]  is you actually have to replace this fuse with a bus bar.
[14:25.340 --> 14:26.160]  Yeah, that's right.
[14:26.160 --> 14:30.480]  The instructions say you replace the fuse with a bus bar.
[14:30.480 --> 14:31.560]  So we did that.
[14:32.160 --> 14:34.100]  Here's the front fuse.
[14:34.100 --> 14:35.400]  Here's the front fuse removed
[14:35.400 --> 14:38.120]  and here's the front fuse replaced with the bus bar.
[14:38.120 --> 14:40.820]  Put it all back together, put the seat back in,
[14:40.820 --> 14:43.240]  connect all the high voltage interlocks,
[14:43.240 --> 14:46.900]  back up and that part is done.
[14:47.460 --> 14:48.800]  So what about firmware?
[14:48.800 --> 14:52.420]  This is really where the majority of my time went.
[14:52.760 --> 14:56.040]  The physical work was actually pretty easy to figure out.
[14:56.040 --> 14:57.700]  Tesla actually publicly talked about
[14:57.700 --> 14:59.740]  the components that were involved.
[15:02.050 --> 15:04.370]  The firmware was the hard part.
[15:04.850 --> 15:07.230]  And to do this, we need to dig into some Python.
[15:07.730 --> 15:11.330]  Tesla uses a diagnostic tool called Toolbox.
[15:11.330 --> 15:16.130]  It's a Python Windows executable.
[15:16.130 --> 15:16.850]  That's right.
[15:16.850 --> 15:19.510]  It's an executable written in Python,
[15:19.510 --> 15:20.890]  but it runs in Windows.
[15:20.890 --> 15:23.990]  So it's been compiled and then encrypted.
[15:23.990 --> 15:27.410]  It uses these plugins that are compiled and encrypted,
[15:27.410 --> 15:29.870]  and it's designed to work without a connection to the internet.
[15:29.870 --> 15:32.250]  So all the information that you need to decrypt
[15:32.250 --> 15:34.770]  these individual files called scrambled,
[15:34.770 --> 15:36.790]  as you can kind of see in this image,
[15:36.790 --> 15:40.370]  are actually on the executable.
[15:40.370 --> 15:42.050]  So if you were able to get an image
[15:42.050 --> 15:44.350]  or grab the correct files,
[15:44.890 --> 15:46.470]  you're able to decrypt these modules.
[15:46.470 --> 15:48.190]  To be completely honest,
[15:48.190 --> 15:49.950]  this wasn't my work to figure this out.
[15:49.950 --> 15:52.430]  This was other people that actually figured this out.
[15:53.150 --> 15:55.890]  They had done some of the decompiling as well.
[15:55.890 --> 15:59.390]  So you can use uncompyle6 to actually run
[15:59.390 --> 16:03.770]  the PYC compiled files and get Python source code.
[16:03.970 --> 16:05.270]  I did a lot of that.
[16:05.270 --> 16:07.570]  I wrote a really, really ugly Python script
[16:07.570 --> 16:10.910]  to iterate through every single one of the scramble files,
[16:10.910 --> 16:12.750]  because the scramble files are also all kind of
[16:12.750 --> 16:13.590]  zipped up together.
[16:13.590 --> 16:15.550]  There's a bunch of separate source code files
[16:15.550 --> 16:18.330]  underneath each one in separate directories.
[16:18.330 --> 16:19.970]  So I iterated through them all,
[16:21.570 --> 16:22.970]  ran uncompyle6 against them,
[16:22.970 --> 16:24.510]  and then did some additional work
[16:24.510 --> 16:26.170]  that I'll talk about in the next slides.
[16:26.270 --> 16:29.090]  But they also left all the source code comments in place.
[16:29.090 --> 16:29.910]  So thank you.
[16:29.910 --> 16:32.910]  That actually helped me figure this out.
[16:33.650 --> 16:37.130]  So this is an example of just the header of a file.
[16:37.430 --> 16:38.990]  This is the UDS one.
[16:39.430 --> 16:42.810]  You can see it actually has all of the comments
[16:42.810 --> 16:44.130]  here in place.
[16:44.330 --> 16:46.930]  Here's the headers added by uncompyle6,
[16:46.930 --> 16:49.110]  but it actually shows when it was compiled,
[16:49.110 --> 16:51.050]  who compiled it, who's the author,
[16:51.050 --> 16:52.630]  gives me his email address too.
[16:53.090 --> 16:55.630]  And then the copyright information on it.
[16:58.270 --> 17:01.050]  So here's the kind of thing that I was able to actually see
[17:01.050 --> 17:02.570]  by digging through all these.
[17:03.050 --> 17:08.390]  This is one of the specific files used
[17:08.390 --> 17:09.510]  to configure for Ludicrous.
[17:09.510 --> 17:11.110]  So this is the performance add-on config.
[17:11.110 --> 17:12.550]  This is the one that modifies the gateway
[17:12.550 --> 17:14.770]  if you don't do it manually like I did.
[17:14.910 --> 17:19.850]  And it tells you that you first have to verify
[17:19.850 --> 17:21.350]  the vehicle can be configured.
[17:22.630 --> 17:23.550]  For Ludicrous mode,
[17:23.550 --> 17:25.230]  the vehicle needs to be all wheel drive
[17:25.230 --> 17:26.990]  and have a battery pack config
[17:26.990 --> 17:29.510]  that supports the 1500 amp current discharge.
[17:29.510 --> 17:30.790]  So this is assuming the battery pack
[17:30.790 --> 17:32.230]  has already been modified.
[17:32.790 --> 17:35.390]  There are other routines in Toolbox
[17:35.390 --> 17:37.210]  that actually go through this.
[17:37.950 --> 17:41.130]  One of the most important things in these Toolbox files
[17:41.130 --> 17:42.450]  were these data structures.
[17:42.450 --> 17:44.750]  So you can see these two variable names,
[17:44.750 --> 17:47.190]  three variable names, qt_resource_data,
[17:47.190 --> 17:49.970]  qt_resource_name, qt_resource_struct.
[17:50.170 --> 17:52.390]  My really, really ugly Python script
[17:52.390 --> 17:53.410]  went through those
[17:53.410 --> 17:56.130]  and actually converted those back into binary.
[17:56.670 --> 17:57.890]  And then from there,
[17:57.890 --> 18:00.070]  I ran binwalk against those binary files
[18:00.070 --> 18:03.170]  and I got a ton of useful information.
[18:05.980 --> 18:07.780]  Things like this,
[18:07.780 --> 18:10.860]  this is the pointer that tells me exactly how to do it.
[18:10.860 --> 18:12.490]  It says that,
[18:13.800 --> 18:15.440]  so we already know that the donor vehicle
[18:15.440 --> 18:17.200]  has a pack ID of 57.
[18:17.200 --> 18:18.060]  I didn't say that previously,
[18:18.060 --> 18:20.960]  but the donor vehicle had a pack ID of 57.
[18:20.960 --> 18:21.580]  It says, okay,
[18:21.580 --> 18:24.480]  so if you're gonna change pack ID,
[18:24.480 --> 18:26.720]  battery pack ID 57 to 70,
[18:26.720 --> 18:29.720]  here are the three firmware files that you need.
[18:29.760 --> 18:32.040]  Okay, well, where do I get those firmware files?
[18:32.160 --> 18:33.020]  Turns out they were stored
[18:33.020 --> 18:34.700]  within those Python data structures.
[18:34.700 --> 18:36.840]  When I ran binwalk against it,
[18:37.400 --> 18:39.520]  I actually got a tar file of firmware.
[18:39.520 --> 18:40.700]  And when you untar that file,
[18:40.700 --> 18:44.160]  you get every single one of these hex files of firmware.
[18:44.160 --> 18:47.260]  It was all stored within the Python executable,
[18:47.260 --> 18:48.380]  all right there,
[18:49.340 --> 18:51.060]  ready to be used.
[18:51.060 --> 18:55.140]  So for this upgrade, pack 57 becomes pack 70.
[18:55.140 --> 18:58.840]  Pack 57 is a 1300 amp battery pack,
[18:58.840 --> 19:01.180]  pack 70 is a 1500 amp.
[19:02.240 --> 19:03.740]  One of the things that I kind of did
[19:03.740 --> 19:05.180]  that I thought was interesting,
[19:05.740 --> 19:08.140]  since we're still talking about the firmware,
[19:08.140 --> 19:11.400]  is I did some differential analysis of the bootloaders.
[19:11.400 --> 19:13.580]  So I have the two different bootloaders here,
[19:13.580 --> 19:14.540]  57 and 70.
[19:14.540 --> 19:17.240]  You can see that there really weren't that many changes.
[19:17.260 --> 19:20.100]  On one line, it's a single bit that changes.
[19:21.060 --> 19:22.500]  The other one that, you know,
[19:22.500 --> 19:24.640]  537 and 730 that you see here
[19:25.100 --> 19:30.220]  are just the R and then the actual number.
[19:30.220 --> 19:31.800]  One is 57, one is 70.
[19:31.800 --> 19:35.160]  And then we have this short little string of,
[19:35.160 --> 19:36.540]  you know, group of hex characters.
[19:36.540 --> 19:37.260]  And that was the only change
[19:37.260 --> 19:40.320]  between the different versions of the bootloader.
[19:42.920 --> 19:44.520]  But it's not the application file.
[19:44.520 --> 19:46.900]  Application file had a few, a bunch of different changes.
[19:46.900 --> 19:48.080]  It's just the bootloaders themselves
[19:48.080 --> 19:49.500]  were all very, very similar.
[19:49.500 --> 19:52.600]  So to do this upgrade,
[19:52.600 --> 19:55.220]  all the instructions and files that you need for this
[19:55.220 --> 19:57.240]  were stored in these toolbox files.
[19:59.300 --> 20:02.960]  There also were a bunch of other really helpful files.
[20:02.960 --> 20:04.380]  DBC files, for those of you
[20:04.380 --> 20:06.980]  who've hacked on a vehicle before,
[20:06.980 --> 20:09.900]  DBC is the instruction file
[20:09.900 --> 20:12.340]  that stores all of the various CAN bus signals
[20:12.940 --> 20:14.980]  so that you can interpret them.
[20:14.980 --> 20:17.360]  And these individual DBC files
[20:17.360 --> 20:19.140]  for all the various CAN buses of the vehicle
[20:19.140 --> 20:21.400]  were stored within toolbox.
[20:21.600 --> 20:25.380]  The ODX files, ODX is a XML style format
[20:25.380 --> 20:28.620]  that defines how to do diagnostics,
[20:28.620 --> 20:30.360]  how to do firmware upgrades,
[20:30.360 --> 20:32.520]  how to get security access.
[20:33.080 --> 20:34.840]  A bunch of other stuff are stored
[20:34.840 --> 20:36.340]  in kind of the ODX file format.
[20:36.340 --> 20:38.460]  So the diagnostic routines are ODX,
[20:38.460 --> 20:41.020]  the CAN bus interpretation routines are DBC.
[20:41.880 --> 20:43.780]  And then there were also files
[20:43.780 --> 20:46.640]  that stored the calibration data for the shunt.
[20:46.640 --> 20:48.780]  Those are stored also in a Python pickle.
[20:49.280 --> 20:51.920]  Turns out that every single vehicle
[20:51.920 --> 20:55.540]  that was eligible for ludicrous upgrades
[20:55.540 --> 20:57.060]  by upgrading the battery
[20:57.560 --> 21:00.620]  had the shunt calibration values stored
[21:00.620 --> 21:04.220]  as an array within this Python pickle file.
[21:04.220 --> 21:06.400]  So you have to actually look up the shunt
[21:06.400 --> 21:08.940]  on the vehicle that you're upgrading,
[21:08.940 --> 21:11.080]  compare it to this pickle file
[21:11.080 --> 21:12.960]  and get these shunt calibration values
[21:12.960 --> 21:14.620]  that I'm gonna show you in a little bit.
[21:15.320 --> 21:17.280]  And then of course, there are all these text comments
[21:17.280 --> 21:18.420]  and other data structures
[21:18.420 --> 21:20.480]  that kind of eventually allowed me
[21:20.480 --> 21:22.420]  to piece together the process.
[21:23.620 --> 21:26.700]  So kind of talk a little bit more about UDS.
[21:26.700 --> 21:28.360]  Here's what a UDS file looks like.
[21:28.360 --> 21:30.560]  This is the one for actually shunt calibration.
[21:30.560 --> 21:33.100]  It shows that there are all these parameters,
[21:33.100 --> 21:37.360]  HWID, CGI1, CAU1, there's also a CRC value
[21:40.420 --> 21:43.220]  and a serial number.
[21:43.220 --> 21:46.680]  And again, CAN networks use a DBC file,
[21:46.680 --> 21:49.120]  UDS uses ODX or GMD.
[21:49.880 --> 21:52.180]  So I use the commercial tool Vehicle Spy
[21:52.180 --> 21:57.020]  to actually do the next steps of this research.
[21:57.020 --> 22:00.060]  I took these DBC files and these ODX files
[22:00.060 --> 22:02.180]  and imported them to Vehicle Spy,
[22:02.180 --> 22:03.400]  plugged it into the bench,
[22:03.400 --> 22:05.000]  plugged it into an actual vehicle
[22:05.000 --> 22:06.560]  and just sat there and listened to traffic
[22:06.560 --> 22:08.520]  so I could try and figure it out.
[22:08.540 --> 22:12.520]  So it turns out that the IDs 232,
[22:12.520 --> 22:15.680]  the arbitration ID is 232 for the BMS,
[22:15.680 --> 22:19.840]  266 and 2E5 for the two drive inverters,
[22:19.840 --> 22:22.420]  they identify max power, those are variables.
[22:22.420 --> 22:24.340]  They vary based on state of charge,
[22:24.340 --> 22:26.360]  temperature and power recently used.
[22:26.480 --> 22:29.620]  On Sunday, I'm actually gonna have an in-depth,
[22:29.880 --> 22:32.740]  a deep dive into these DBC files
[22:32.740 --> 22:33.960]  and some of the information
[22:33.960 --> 22:36.500]  because I wanna actually map out the entire power curve
[22:36.500 --> 22:39.080]  to see if I can put that back
[22:39.080 --> 22:40.500]  and actually figure out where the power curve
[22:40.500 --> 22:42.640]  is stored in the BMS firmware.
[22:43.100 --> 22:45.500]  But check that out if you wanna actually see
[22:45.960 --> 22:48.320]  a little bit further into the talk
[22:48.320 --> 22:50.500]  than what I'm able to cover on this.
[22:50.740 --> 22:53.760]  So what a DBC does,
[22:53.760 --> 22:56.760]  this is what raw CAN bus traffic looks like.
[22:56.820 --> 22:58.000]  You can see all the IDs,
[22:58.000 --> 23:00.760]  you know, 102 through 302 down here,
[23:00.760 --> 23:02.700]  and you just see a bunch of data.
[23:02.700 --> 23:05.380]  But once you put in a DBC file,
[23:05.380 --> 23:07.000]  you can actually translate it all.
[23:07.000 --> 23:12.040]  So you can actually see that all the values for BMS
[23:12.040 --> 23:13.480]  basically means that this is the BMS
[23:13.480 --> 23:15.160]  who's actually sending this.
[23:15.860 --> 23:17.420]  You can see the power available.
[23:17.420 --> 23:20.520]  This is power available before the drive units are engaged.
[23:20.520 --> 23:22.980]  So this is just the car sitting in an off mode
[23:23.640 --> 23:25.240]  before you press the brake pedal
[23:25.240 --> 23:28.020]  and engage the drive units
[23:28.020 --> 23:29.820]  and wake the car up all the way.
[23:30.940 --> 23:35.080]  So again, ODX routines for shunt calibration.
[23:35.080 --> 23:38.220]  Here's the actual ODX routine imported into Vehicle Spy
[23:38.220 --> 23:43.320]  for actually doing the shunt calibration.
[23:43.320 --> 23:48.660]  So what you do is you actually connect to the car,
[23:48.660 --> 23:49.480]  read the value of the shunt.
[23:49.480 --> 23:50.660]  You actually have to do some firmware stuff,
[23:50.660 --> 23:51.860]  but I'll go over that in a minute.
[23:51.920 --> 23:53.700]  And then modify these values.
[23:53.700 --> 23:56.280]  So these are values that are already modified.
[23:56.580 --> 23:59.100]  The thing I thought was interesting
[23:59.100 --> 24:02.300]  is the CGI1 and CAU1 values are all identical
[24:02.300 --> 24:05.000]  for a ludicrous vehicle where they weren't before.
[24:05.320 --> 24:07.840]  And then we have a serial number and a CRC.
[24:07.840 --> 24:09.380]  And then of course the hardware ID.
[24:09.880 --> 24:12.260]  This is actually, it shows write success with that.
[24:12.260 --> 24:14.800]  This is actually a read function.
[24:15.100 --> 24:18.000]  So the 23 is a read function.
[24:18.920 --> 24:21.280]  There's a separate function for actually writing the shunt.
[24:21.280 --> 24:23.440]  And again, I actually demonstrate the process
[24:23.440 --> 24:25.360]  on Sunday in the deep dive.
[24:26.460 --> 24:28.120]  So one of the things I found out
[24:28.120 --> 24:29.860]  by building this all on a bench
[24:30.440 --> 24:32.600]  and doing this work is the shunt
[24:32.600 --> 24:35.000]  also needed a hardware modification.
[24:37.280 --> 24:40.340]  After I did the upgrade on a bench,
[24:40.840 --> 24:42.600]  I kept getting this error message
[24:42.600 --> 24:47.020]  that would pop up on the central display.
[24:47.020 --> 24:49.380]  And also, you know, within the DBCs of a CAN bus,
[24:49.380 --> 24:52.400]  it gives you arrays of all the various error messages.
[24:52.400 --> 24:55.740]  And it talks about overcurrent sense.
[24:55.740 --> 24:58.080]  There's a particular error message that just popped up
[24:58.080 --> 25:03.960]  showing overcurrent sense after I modified the firmware.
[25:03.960 --> 25:06.440]  But the error was not there before.
[25:07.540 --> 25:09.280]  So digging into this,
[25:09.280 --> 25:11.340]  what I did is I actually made a breakout board
[25:12.580 --> 25:14.660]  and used a logic analyzer
[25:14.660 --> 25:17.020]  and analyzed all the signals coming off of this shunt.
[25:17.020 --> 25:18.740]  Actually, it turns out it's a very simple
[25:19.340 --> 25:21.440]  communications protocol that it used.
[25:21.440 --> 25:24.740]  But this one wire, as it turns out,
[25:24.740 --> 25:26.720]  eventually connects to the CPLD.
[25:26.720 --> 25:31.340]  So it looks like that there's a sensor within this shunt
[25:33.500 --> 25:35.800]  that for ludicrous power, they want disconnected.
[25:35.800 --> 25:36.840]  They don't want it to be able to communicate
[25:36.840 --> 25:38.240]  to the CPLD.
[25:38.240 --> 25:40.240]  And since the CPLD didn't change,
[25:41.420 --> 25:42.800]  assuming it has something to do with it,
[25:42.800 --> 25:46.000]  you know, the current values going through the CPLD,
[25:46.000 --> 25:47.680]  they didn't want to modify.
[25:47.680 --> 25:49.080]  Tesla didn't want them modified.
[25:49.480 --> 25:52.480]  So when this wire was disconnected,
[25:52.480 --> 25:53.620]  that error message went away.
[25:53.620 --> 25:56.920]  So that basically tells me that there's a wire
[25:56.920 --> 25:59.400]  that has to be disconnected during the process
[26:00.340 --> 26:03.620]  of actually doing this upgrade.
[26:04.380 --> 26:09.680]  So again, go to California, drop the battery pack,
[26:11.280 --> 26:13.460]  drain the battery as much as possible,
[26:14.260 --> 26:17.720]  do all the hardware stuff, modify the shunt,
[26:17.720 --> 26:20.440]  disconnect that wire, very scary stuff.
[26:20.940 --> 26:23.000]  And then there's actually these special gloves
[26:23.000 --> 26:26.060]  that I purchased, special gloves and special socket wrenches
[26:26.060 --> 26:28.600]  that are used when you're dealing with high voltage.
[26:28.600 --> 26:32.640]  They're a rubber glove with a leather over lining.
[26:32.640 --> 26:33.920]  And then you're just careful about, you know,
[26:33.920 --> 26:36.860]  where you're standing and proximity to the other components.
[26:36.860 --> 26:40.380]  And even though the fuse isolates you,
[26:40.380 --> 26:42.540]  there's still enough of a charge
[26:42.540 --> 26:45.100]  and something where you can shock yourself.
[26:45.100 --> 26:47.740]  And again, if you're touching the wrong things,
[26:47.740 --> 26:49.340]  you can actually hurt yourself.
[26:49.340 --> 26:52.140]  So there's quite a few precautions you actually have to do.
[26:52.140 --> 26:53.960]  I talked to a few Tesla techs and they told me
[26:53.960 --> 26:56.400]  what the gloves were that they were.
[26:56.400 --> 26:57.380]  So I ordered a set of those
[26:57.380 --> 27:00.540]  and used all possible precautions for doing that.
[27:00.760 --> 27:03.600]  So we dropped the pack, do all the hardware stuff,
[27:04.500 --> 27:05.320]  reinstall the pack.
[27:05.320 --> 27:06.880]  So the reinstalling the pack was probably
[27:06.880 --> 27:11.180]  the most pucker factor part of the whole install
[27:11.720 --> 27:12.980]  because I was really nervous
[27:12.980 --> 27:14.520]  about having a Rich Rebuilds moment
[27:14.520 --> 27:17.120]  and actually damaging one of the leads
[27:17.120 --> 27:19.060]  because then I'd have to leave the vehicle there
[27:19.060 --> 27:21.680]  for a long time and have the customer angry at me.
[27:21.680 --> 27:25.680]  So I used a bore scope, both back here at the battery pack,
[27:25.680 --> 27:29.260]  these are the main battery pack contacts,
[27:29.260 --> 27:30.780]  going back into the battery
[27:30.780 --> 27:33.780]  and then up front where the coolant lines were,
[27:33.780 --> 27:36.820]  I scoped those and then just very slowly
[27:36.820 --> 27:38.500]  lowered the vehicle onto them all.
[27:38.500 --> 27:40.100]  Everything went flawlessly.
[27:41.060 --> 27:43.020]  Reinstalled all the hardware,
[27:43.020 --> 27:45.620]  lifted the car back up, verified everything,
[27:45.620 --> 27:47.220]  dropped it completely off the lift
[27:47.740 --> 27:49.420]  and then had to do all the firmware stuff.
[27:49.420 --> 27:53.320]  So it turns out you have to actually flash the BMS
[27:53.320 --> 27:54.620]  with special firmware.
[27:54.620 --> 27:56.380]  There was those three files that actually says
[27:56.380 --> 27:58.760]  that to do the shunt calibration,
[27:58.760 --> 28:00.900]  you load this file onto the BMS.
[28:00.900 --> 28:02.260]  So there's a special application file
[28:02.260 --> 28:03.980]  just for doing the shunt calibration.
[28:04.220 --> 28:06.560]  Look up the shunt value, recalibrate the shunt
[28:06.560 --> 28:08.640]  with the value based on the serial number.
[28:08.840 --> 28:10.360]  I had already extracted that serial number
[28:10.360 --> 28:12.560]  and validated that it was in the table.
[28:12.560 --> 28:14.020]  So I knew I was okay there.
[28:14.020 --> 28:16.340]  That all went without a hitch.
[28:16.940 --> 28:19.220]  Flash the BMS with its new bootloader,
[28:19.220 --> 28:22.300]  flash the BMS with its new application firmware,
[28:22.300 --> 28:25.960]  updated internal.dat, changed the pack ID,
[28:25.960 --> 28:28.400]  and then tried to do a firmware redeploy,
[28:28.400 --> 28:29.800]  which is the thing that you have to do
[28:29.800 --> 28:31.680]  after you change any component on the vehicle
[28:32.260 --> 28:33.700]  and then drive away, right?
[28:33.800 --> 28:35.580]  No, no.
[28:35.580 --> 28:37.280]  This is where the fun begins.
[28:38.200 --> 28:42.140]  I used every known technique that I've used before.
[28:42.140 --> 28:43.540]  I've tried putting on new firmware.
[28:43.540 --> 28:45.440]  I messed with this for a day and a half.
[28:45.760 --> 28:48.800]  I think I aged myself quite a bit,
[28:48.800 --> 28:50.440]  but I didn't want to stress myself out.
[28:51.080 --> 28:52.240]  It failed.
[28:52.240 --> 28:54.900]  It would not redeploy.
[28:54.980 --> 28:56.460]  It would not reinstall.
[28:56.460 --> 28:58.800]  I was getting an error every single time.
[28:59.040 --> 29:03.480]  So I started logging a lot of data,
[29:04.360 --> 29:07.360]  tried to troubleshoot, couldn't figure it out,
[29:07.360 --> 29:08.780]  was stressed out.
[29:08.840 --> 29:11.900]  Finally just said, screw it,
[29:11.900 --> 29:14.940]  towed the car from Rancho Cucamonga back to Vegas
[29:14.940 --> 29:17.340]  so I can continue to work on it.
[29:17.340 --> 29:21.600]  But it only cost $360 or $3,600.
[29:22.020 --> 29:24.820]  So not great, not terrible, right?
[29:25.240 --> 29:27.020]  But I learned something cool.
[29:27.800 --> 29:29.440]  I was able to figure something else out.
[29:29.440 --> 29:32.980]  So flew home, started messing with my bench,
[29:32.980 --> 29:35.140]  trying to replicate this condition,
[29:35.140 --> 29:38.800]  dug through my error logs that I copiously captured
[29:38.800 --> 29:39.920]  and I was noticing an error
[29:39.920 --> 29:42.660]  mentioning something called firmware.rc.
[29:42.660 --> 29:45.180]  The file was generating some type of error.
[29:45.920 --> 29:48.360]  It turns out the gateway uses this as a validation check
[29:49.200 --> 29:50.780]  and the values in it are calculated
[29:50.780 --> 29:52.300]  during the upgrade and redeploy.
[29:55.140 --> 29:59.180]  So in this file stores all these CRC values.
[29:59.180 --> 30:01.800]  So I had seen one other reference to it.
[30:01.980 --> 30:04.000]  The Tencent guys had done a previous
[30:04.000 --> 30:05.480]  Tesla hacking presentation
[30:05.880 --> 30:08.220]  where they talked about how the gateway used this file.
[30:08.480 --> 30:10.800]  So I went to the gateway and said,
[30:10.800 --> 30:13.240]  instead of gwtransferinternal.dat,
[30:14.000 --> 30:15.000]  gwtransferfirmware.rc
[30:15.000 --> 30:16.700]  and boom, it gave me the file.
[30:16.780 --> 30:18.920]  I saw it and it had all these CRC values.
[30:18.920 --> 30:22.840]  So all I had to do was look up from the,
[30:23.960 --> 30:27.500]  there's a map of files for this specific BMS firmware
[30:27.500 --> 30:29.600]  that it's supposed to be running for that pack ID
[30:29.600 --> 30:31.800]  and that version of software,
[30:31.800 --> 30:34.280]  made sure that version of software or firmware
[30:34.280 --> 30:39.340]  was running on the BMS and then grabbed its CRC value.
[30:39.560 --> 30:41.640]  Replaced the CRC value in firmware.rc
[30:41.640 --> 30:44.240]  with the value for the new pack ID.
[30:45.540 --> 30:46.880]  And then if you look here at the end,
[30:46.880 --> 30:49.880]  you can see there's a separate one for file CRC.
[30:50.920 --> 30:53.420]  There's even little values for the door handles,
[30:53.420 --> 30:55.900]  this drfp and drrp,
[30:55.900 --> 30:58.460]  those are values for the various door handles.
[30:58.720 --> 31:00.220]  So if you upgrade the door handle,
[31:00.220 --> 31:03.000]  the new firmware, firmware.rc has to be changed.
[31:04.280 --> 31:05.860]  It turns out I had a new door handle
[31:05.860 --> 31:07.620]  that I actually had to change to,
[31:07.620 --> 31:08.960]  but it wasn't causing an error
[31:08.960 --> 31:11.300]  that wasn't causing the vehicle to be able to operate.
[31:11.300 --> 31:15.040]  So what you do is you strip off the CRC line,
[31:15.040 --> 31:16.660]  calculate the new CRC.
[31:16.660 --> 31:18.960]  It turns out it's a jammed CRC 32.
[31:18.960 --> 31:21.380]  Someone else figured that out while they're helping me.
[31:21.380 --> 31:22.840]  I didn't figure that out myself.
[31:24.440 --> 31:26.300]  And then put the file back on the gateway.
[31:26.300 --> 31:27.720]  And after I did that, the car woke up,
[31:27.720 --> 31:31.780]  the errors cleared, and that was the problem.
[31:31.780 --> 31:33.320]  And I eventually figured out the reason
[31:33.320 --> 31:34.500]  for the other failure.
[31:35.000 --> 31:37.540]  I'm not gonna talk about that, it's really embarrassing.
[31:37.840 --> 31:39.380]  It was something I added to the car
[31:39.380 --> 31:41.340]  that it didn't have, that it didn't need.
[31:41.960 --> 31:45.240]  But yeah, hit me up with a beer sometime
[31:45.240 --> 31:46.460]  and I'll talk about it.
[31:48.720 --> 31:51.760]  So here is the power before and after the upgrade.
[31:51.760 --> 31:54.600]  I grabbed the CAN bus data before.
[31:54.860 --> 31:58.180]  Before the upgrade, it had 1305 amps available.
[31:58.440 --> 31:59.660]  These are static values again.
[31:59.660 --> 32:00.800]  These aren't the ones that are available
[32:00.800 --> 32:01.840]  based on state of charge.
[32:01.840 --> 32:03.120]  These are a hard limit.
[32:03.480 --> 32:06.480]  After the upgrade, it had 1516 amps.
[32:06.480 --> 32:09.520]  But it actually has a separate CAN bus line 202
[32:09.520 --> 32:11.860]  instead of 702, the debug one,
[32:13.100 --> 32:15.720]  that actually has a slightly lower value.
[32:15.720 --> 32:17.040]  And I have no idea why.
[32:17.040 --> 32:19.300]  So if someone from Tesla wants to tell me,
[32:19.300 --> 32:20.500]  I'll keep it to myself.
[32:20.500 --> 32:24.260]  I'm just really curious why the vehicle has that extra
[32:25.540 --> 32:29.940]  16 plus eight, 24 amps of power missing.
[32:30.280 --> 32:34.960]  Actually 23.6 amps of power missing.
[32:34.960 --> 32:38.680]  So if you can tell me, I'm really curious about that.
[32:38.680 --> 32:40.860]  It doesn't look like there's any derating going on
[32:40.860 --> 32:43.220]  because that value right above it is there.
[32:43.220 --> 32:44.540]  It says derating active zero.
[32:44.540 --> 32:47.820]  So I'm assuming that means no, but I'm curious.
[32:49.500 --> 32:52.420]  Okay, so here's where we can take this project
[32:52.420 --> 32:53.680]  from here if you want to help.
[32:53.920 --> 32:57.260]  The TMS320 is supported in IDA Pro.
[32:57.260 --> 32:58.820]  I've actually got some stuff on that
[32:58.820 --> 33:01.360]  in the Car Hacking Village Deep Dive.
[33:02.180 --> 33:06.260]  Again, arbitrations AD72 and 202 defined max current.
[33:06.260 --> 33:09.000]  There's one more for the other drive inverter.
[33:09.000 --> 33:10.000]  I can't remember what it is.
[33:10.000 --> 33:12.700]  So it seems possible to increase speed behind ludicrous
[33:12.700 --> 33:13.960]  and actually do it safely.
[33:13.960 --> 33:15.480]  It has been done by others.
[33:15.860 --> 33:17.960]  There's a guy back East who actually has
[33:18.380 --> 33:23.640]  a rear wheel drive P85 that he faked the unit out
[33:23.640 --> 33:26.960]  and basically created a CAN bus emulator
[33:26.960 --> 33:28.220]  for the front drive unit
[33:28.220 --> 33:34.020]  and bumped the BMS beyond the limits that it can handle.
[33:34.040 --> 33:36.460]  So it seems that all you have to do is go into that firmware
[33:36.460 --> 33:38.200]  and bump the values up a bit.
[33:38.360 --> 33:41.560]  You can probably even recalculate the CRC value.
[33:41.560 --> 33:46.100]  And it looks like, since we know how to change the gateway,
[33:46.100 --> 33:47.720]  we can just change that as well.
[33:47.860 --> 33:49.820]  But it can be dangerous if you take this too far,
[33:49.820 --> 33:51.140]  you're gonna burn up the car.
[33:51.140 --> 33:54.180]  You're gonna start blowing the individual cell fuses.
[33:54.760 --> 33:59.100]  But there is some room in there, it looks like.
[33:59.100 --> 34:02.440]  The current amp drain for the Model S batteries,
[34:02.440 --> 34:05.260]  it's only like 6.6 C, 20 amps per cell.
[34:05.540 --> 34:07.420]  For those of you who worked in RC before,
[34:07.420 --> 34:09.500]  you know that you can actually go beyond that
[34:09.500 --> 34:11.260]  for short periods of time.
[34:11.700 --> 34:14.140]  But who knows what the IGBTs
[34:14.140 --> 34:15.860]  within the drive unit can handle.
[34:15.860 --> 34:18.960]  You blow those, you're looking at a really expensive upgrade.
[34:19.460 --> 34:22.260]  But again, I just wanna reverse engineer this
[34:22.260 --> 34:24.720]  for the personal point of reverse engineering.
[34:24.720 --> 34:27.220]  I wanna understand where these values are stored
[34:27.860 --> 34:30.660]  so that others more brave than I can actually
[34:31.260 --> 34:33.900]  turn their cars into true drag monsters.
[34:34.760 --> 34:38.200]  Put in better batteries,
[34:38.200 --> 34:39.640]  maybe double up on the number of batteries
[34:39.640 --> 34:44.000]  and just turn their Model S's into just things
[34:44.000 --> 34:46.260]  that annihilate everything else on the track.
[34:46.540 --> 34:48.600]  I'd also like to understand the shunt parameters,
[34:48.600 --> 34:50.580]  CAU1, CGI1, I don't know what those are,
[34:50.580 --> 34:51.680]  I just know they had to change.
[34:51.680 --> 34:55.000]  So again, come check out the Car Hacking Village Deep Dive
[34:56.700 --> 35:00.420]  and we'll do some more analysis of the firmware,
[35:00.420 --> 35:02.540]  we'll actually show where you can take a project from here.
[35:03.500 --> 35:06.940]  So reference materials, I had to remove the first link
[35:06.940 --> 35:09.940]  so we don't have a copyright, that was the first thing.
[35:11.180 --> 35:13.340]  But again, thank you to Spaceballs the Movie
[35:13.340 --> 35:15.040]  for inspiring Ludicrous Mode.
[35:15.260 --> 35:17.340]  And then the P85D announcement,
[35:17.340 --> 35:18.900]  the Ludicrous announcement.
[35:19.620 --> 35:21.760]  ElectroBoom, if you haven't checked out his YouTube page,
[35:21.760 --> 35:23.700]  pretty funny guy, he actually describes
[35:23.820 --> 35:25.740]  a current shunt better than I ever could.
[35:26.200 --> 35:29.680]  The data sheet for the TMS320 on TI's site,
[35:29.680 --> 35:33.120]  very helpful for the IDA stuff that I was working on.
[35:33.120 --> 35:35.720]  I'd like to thank Intrepid Control Systems,
[35:35.720 --> 35:38.100]  they made the Vehicle Spy software.
[35:38.880 --> 35:40.780]  Bitbuster, thank you for letting me use your lift
[35:40.780 --> 35:44.540]  in your garage, it was invaluable in this work.
[35:44.660 --> 35:47.220]  The guys who helped me with the toolbox reversing,
[35:47.220 --> 35:49.340]  I know you are, thank you all,
[35:49.340 --> 35:51.300]  you're invaluable for all this work.
[35:51.600 --> 35:53.380]  And then the Tesla Security Team,
[35:53.380 --> 35:55.060]  thank you for actually letting me do this talk
[35:55.060 --> 35:57.300]  and being so supportive of this research.
[35:57.640 --> 36:02.520]  And then of course, all these names, the Model S, P85D,
[36:02.520 --> 36:04.780]  those are all registered trademarks of Tesla.
[36:04.860 --> 36:08.580]  We are not sponsored by or associated with Tesla in any way.
[36:10.000 --> 36:11.880]  And thank you for listening.
[36:11.880 --> 36:14.360]  We're gonna have a Q&A at some point later today,
[36:14.360 --> 36:16.400]  so bring your questions there,
[36:16.400 --> 36:17.900]  I'd be happy to answer them.
